Commit Graph

29626 Commits

Author SHA1 Message Date
Sean Parkinson 59f84355a5 Merge pull request #9573 from night1rider/aes-free-callbacks
Aes Free callback support
2025-12-23 08:47:05 +10:00
Sean Parkinson c8f2cc5b43 Merge pull request #9566 from dgarske/ca_skid_cert_akid
Added build option to allow certificate CA matching using AKID with signers SKDI
2025-12-23 08:40:14 +10:00
Anthony Hu cb2a80bf53 Guard a bit of DTLS code. 2025-12-22 17:05:47 -05:00
night1rider afbc65a6c3 Aes Free callback support 2025-12-22 12:39:41 -07:00
Kareem 8de470b436 Add new WOLFSSL_RNG_USE_FULL_SEED macro to known macros. 2025-12-22 11:49:27 -07:00
Kareem fe45b74921 Add trailing newline back to ssl.h. 2025-12-22 11:45:25 -07:00
Mattia Moffa ca78994298 Add missing length check in sniffer for AES-GCM/AES-CCM/ARIA-GCM 2025-12-22 16:13:27 +01:00
Marco Oliverio 29d8fa7cb6 tls13: fix indentation alignment 2025-12-22 13:45:34 +01:00
Marco Oliverio 540fae80ab test_dtls: test payload split when WOLFSSL_NO_DTLS_SIZE_CHECK 2025-12-22 13:41:33 +01:00
Marco Oliverio 8cbc4047df internal: rename to use wolfssl internal prefix 2025-12-22 13:41:33 +01:00
Marco Oliverio aa4fb5d3e5 internal: GetMaxPlainTextSize: precise pad size when adjusting for MTU 2025-12-22 13:41:33 +01:00
Marco Oliverio 1200efdeb3 internal: GetRecordSize: precise header computation on fallback path 2025-12-22 13:41:33 +01:00
Marco Oliverio 75e7d5e9bd fix: split message > MTU on WOLFSSL_NO_DTLS_SIZE_CHECK 2025-12-22 12:49:31 +01:00
Sean Parkinson da06e1aeea Merge pull request #9558 from kareem-wolfssl/zd20944_2
Move Curve25519 public key check to make_pub/make_pub_blind to cover the case where they are called directly by an application.
2025-12-22 19:38:42 +10:00
Sean Parkinson 7a326ef43f Merge pull request #9553 from julek-wolfssl/ed25519-export-key-check
ed25519: validate presence of keys in export functions
2025-12-22 19:31:14 +10:00
Marco Oliverio 14b124769a use wolfssl internal prefix for MaybeCheckAlertOnErr 2025-12-22 10:04:50 +01:00
Marco Oliverio 12c2cdafaf rename wolfSSL_MaybeCheckAlertOnErr in wolfMaybeCheckAlertOnErr 2025-12-22 09:51:06 +01:00
Marco Oliverio f4c48c19c1 fix: abide unused arguments when WOLFSSL_CHECK_ALER_ON_ERR is disabled 2025-12-22 09:51:06 +01:00
Marco Oliverio 38d8eb6f0d address reviewer's comments 2025-12-22 09:51:06 +01:00
Marco Oliverio 950c074c25 test: fix typo in structure field 2025-12-22 09:51:06 +01:00
Marco Oliverio 8de68decd2 test: tls13_early_data: test WANT_WRITE in early data 2025-12-22 09:51:06 +01:00
Marco Oliverio 609e30a69c test: tls13_early_data: refactor splitEarlyData test option 2025-12-22 09:51:06 +01:00
Marco Oliverio 57282140a9 WOLFSSL_CHECK_ALERT_ON_ERR: ignore non fatal errors 2025-12-22 09:51:06 +01:00
Marco Oliverio 093d77727b early_data: avoid resetting ssl->earlyData after WANT_WRITE retry 2025-12-22 09:51:06 +01:00
Marco Oliverio a1c8790039 wolfssl: preserve early-data handling across WANT_WRITE retries
The early-data logic setups "early" exits in Accept/Connect state machine so
that the data exchanged during the handshake can be delivered to the
caller.

After the caller process the data, it usually calls Accept/Connect again
to cotinue the handshake.

Under non-blocking I/O there is the chance that these early exits are
skipped, this commit fixes that.

Server-side accept (TLS 1.3/DTLS 1.3) could skip the early-data shortcut
whenever sending the Finished flight first hit WANT_WRITE: when Accept
is called again and the data is eventually flushed into the I/O layer
the accept state is advanced past TLS13_ACCEPT_FINISHED_SENT, so the
next wolfSSL_accept() call skipped the block that marks
SERVER_FINISHED_COMPLETE and lets the application drain 0-RTT data. By
keeping the FALL_THROUGH into TLS13_ACCEPT_FINISHED_SENT and only
returning early while that handshake flag is still unset, we revisit the
shortcut immediately after the buffered flight is delivered, preserving
the intentional behaviour even under non-blocking I/O.

On the client, the same pattern showed up after SendTls13ClientHello()
buffered due to WANT_WRITE: after flushing, the connect state is already
CLIENT_HELLO_SENT so the early-data exit is no longer executed. We now
fall through into the CLIENT_HELLO_SENT case and only short-circuit once
per handshake, ensuring the reply-processing loop still executes on the
retry.
2025-12-22 09:51:05 +01:00
Hideki Miyazaki fc583d068f add SK-S7G2 support
Update README based on copilot suggestion
2025-12-20 10:32:09 +09:00
Kareem adf38007f4 Document wolfSSL_CTX_New's behavior on failure around WOLFSSL_METHOD.
Fixes #9517.
2025-12-19 17:19:45 -07:00
Kareem ac98505204 Document wolfSSL_CTX_set_default_passwd_cb and wolfSSL_CTX_set_default_passwd_cb_userdata.
Fixes #6008.
2025-12-19 17:18:45 -07:00
Kareem 7c4feb5e87 Improve the error message returned by BAD_KEY_SHARE_DATA.
Fixes #9084.
2025-12-19 17:17:33 -07:00
Kareem 5b473f6b9b Add SSL_get_rfd and SSL_get_wfd.
Fixes https://github.com/wolfSSL/wolfssl-nginx/issues/25.
2025-12-19 17:16:35 -07:00
Kareem b6766106c8 Add documentation for Base16_Encode and Base64_Encode's behavior of adding a NULL terminator byte.
Fixes #5602
2025-12-19 17:15:44 -07:00
Kareem a1999d29ed Only enforce !NO_FILESYSTEM for WOLFSSL_SYS_CA_CERTS on non Windows/Mac systems.
wolfSSL's support for WOLFSSL_SYS_CA_CERTS uses APIs which don't depend on !NO_FILESYSTEM
on Windows/Mac.

Fixes #8152.
2025-12-19 16:37:50 -07:00
JacobBarthelmeh 0a0c43054f Merge pull request #9564 from douzzer/20251219-fixes
20251219-fixes
2025-12-19 16:24:20 -07:00
Kareem 3e59b83727 Only keep /dev/urandom open, close /dev/random after each use.
Improve logic for opening RNG seed FD.
2025-12-19 15:57:49 -07:00
Kareem fe105d4b48 Add a flag which allows requesting exactly SEED_SZ and using the full seed to instantiate the DRBG during RNG init.
This flag can not be used with FIPS.
2025-12-19 15:25:15 -07:00
David Garske 1cb2231ff5 Added build option to allow certificate CA matching using AKID with signers SKID ( WOLFSSL_ALLOW_AKID_SKID_MATCH). Fixed issue with cert->extAuthKeyIdSz not being set with ASN template code. 2025-12-19 14:14:39 -08:00
Daniel Pouzzner a7550346dd wolfcrypt/test/test.c: in rng_seed_test(), fix gates for FIPS 5.2.4. 2025-12-19 15:50:27 -06:00
Daniel Pouzzner d3f74557fe wolfcrypt/src/wolfentropy.c: add volatile attribute to entropy_memuse_initialized declaration; in wc_Entropy_Get(), if HAVE_FIPS, call Entropy_Init() if necessary, to accommodate FIPS KATs; in Entropy_Init(), add thread safety. 2025-12-19 15:45:17 -06:00
JacobBarthelmeh d5723d0d89 Merge pull request #9544 from julek-wolfssl/gh/9362
Check KeyShare after HRR
2025-12-19 14:36:31 -07:00
David Garske 1825bd86f5 Merge pull request #9550 from JacobBarthelmeh/caam
sanity checks on buffer size with AES and CAAM Integrity use
2025-12-19 11:03:40 -08:00
JacobBarthelmeh d26c11c626 Merge pull request #9551 from josepho0918/iar
Add IAR support to WC_OFFSETOF macro
2025-12-19 11:36:33 -07:00
JacobBarthelmeh 8153ea6189 Merge pull request #9559 from cconlon/pkcs7SignedNonOctet
Fix PKCS#7 SignedData parsing for non-OCTET_STRING content types
2025-12-19 11:12:06 -07:00
Daniel Pouzzner 6f95a9c58e wolfcrypt/src/random.c: in _InitRng(), remove "drbg_instantiated" conditional cleanup logic (Coverity true-benign-positive: DEADCODE because drbg_instantiated is always false when ret != DRBG_SUCCESS). 2025-12-19 10:30:14 -06:00
Daniel Pouzzner fb26b2dfe1 wolfcrypt/test/test.c: in HMAC tests, initialize ret, to silence uninitvar from cppcheck-force-source. 2025-12-19 09:07:14 -06:00
Daniel Pouzzner 96c47cd18c wolfcrypt/test/test.c: in _rng_test(), inhibit the WC_RESEED_INTERVAL subtest if an rng callback is installed. 2025-12-19 08:55:35 -06:00
Juliusz Sosinowicz dd35f10b57 ed25519: validate presence of keys in export functions 2025-12-19 10:14:26 +01:00
JacobBarthelmeh a3072c7a8d fix for shadows global declaration warning 2025-12-18 17:18:39 -07:00
Chris Conlon afe82b9512 Fix PKCS#7 degenerate detection based on signerInfos length 2025-12-18 16:28:03 -07:00
Chris Conlon d6dcd30736 Fix PKCS#7 streaming for non OCTET STRING content types 2025-12-18 16:28:01 -07:00
JacobBarthelmeh bbc3a72ea8 Merge pull request #9556 from julek-wolfssl/rng-tools-timeout-fix
rng-tools: increase jitter timeout
2025-12-18 15:59:42 -07:00